Migrating to Azure Sentinel - Data Sheet


Mapping the journey to a cloud-native SIEM with Azure Sentinel


Migration considerations for moving your SIEM to the cloud
Today’s security operations (SecOps) teams are being asked to do more with less, all while protecting
an increasingly decentralized digital estate. By harnessing the flexibility and power of a cloud-native
SIEM, you’ll enable your team to focus on stopping real threats instead of managing infrastructure or
chasing false positives.

Azure Sentinel is a cloud-native SIEM + SOAR (security information and event management +
security orchestration and automated response) solution, collecting and analyzing data across all users,
devices, and applications—both on-premises and in multiple clouds. Powered by artificial intelligence
(AI) and enhanced with automation, Azure Sentinel enables real-time detection without the costly
infrastructure required by an on-premises SIEM. Thanks to its cloud-native nature, Azure Sentinel is 48
percent less expensive than legacy SIEMs, 67 percent faster to deploy, and enables 80 percent less
investigation effort.*

Phase 1: Planning and starting your migration

A SIEM migration is a significant endeavor, and there are several factors to consider upfront.

The phases of migration

There are three phases of a typical Azure Sentinel migration architecture.
On-premises SIEM architecture: Analytics and database functions reside fully on-premises—
your “before” state.

Side-by-side architecture: Two SIEMs, one on-premises and one in the cloud, are used at the
same time. Typically, you’ll need to do this for some period of time during migration.

Cloud-native architecture: Both security analytics and data storage reside in the cloud. This is
your full Azure Sentinel deployment.

Identify your key priorities and use cases


You will likely have a massive amount of content to migrate, so before you begin, first identify
your key use cases, also known as P0 priorities. Which detections are actively useful to your business? What
are your key priorities?
Tip: Start by evaluating which detections have produced results within the last year.

Identify opportunities to modernize

During the side-by-side phase, your team is empowered to do more than just move existing use cases. Expand
your threat-hunting and remediation capabilities with Azure Sentinel’s built-in UEBA and automation, enabling
you to extract more value from your traditional SIEM.

Some key evaluation areas:
• Attack detection coverage
• Responsiveness
• Mean time to remediate (MTTR)
• Hunting speed and agility
• Capacity growth friction

* The Total Economic Impact™ of Microsoft Azure Sentinel, by Forrester Consulting, 2020
Phase 2: Operating side by side with a legacy SIEM

Actions to undertake while operating a transitional or extended side-by-side deployment.

Migrating data: Ask yourself, is this data source valuable? Think holistically about your use
cases, then map the data required to support them. Identify any gaps in your visibility.

Migrating detection rules: Translate your existing detection rules so that they map to Azure Sentinel.
Sentinel also provides a powerful query language that can be used across other Microsoft
solutions, such as Microsoft Defender for Endpoint and Application Insights.

Migrating analytics: Azure Sentinel has more than 400 built-in detections covering more
than 40 connectors. Turning on UEBA analytics will provide immediate insights into behavioral
anomalies.

Migrating automation: Where do you really need to save time? Automated workflows
enable you to group and prioritize alerts into a common incident. Also, automated playbooks
in Azure Sentinel enable easy integration with third-party ticketing solutions.

Phase 3: Finishing the migration (retiring the legacy SIEM)

Moving away from your legacy SIEM enables deep correlation across all data sources and helps
your SecOps team eliminate infrastructure and licensing costs. A brief checklist for retiring your
legacy SIEM includes:

People: Make sure everyone on your team is trained on Azure Sentinel and feels comfortable
leaving the legacy SIEM.

Technology: Check critical data to make sure sources and alerts are available in Azure
Sentinel. Archive all records of past incidents and cases (raw data optional) to retain
institutional history.

Processes: Update investigation and hunting processes and ensure that all key metrics can
be obtained completely from Azure Sentinel. Create custom workbooks, or use built-in
workbook templates to quickly gain insights as soon as you connect to data sources. Make
sure all current cases are transferred to the new system (including required source data).

Learn more
Visit the Azure Sentinel homepage and download the white paper:
Azure Sentinel Migration Fundamentals